'Less' means more to malware authors targeting Linux users

Running the 'less' Linux command on files downloaded from the Internet is dangerous, a researcher says.

Using the "less" Linux command to view the contents of files downloaded from the Internet is a dangerous operation that can lead to remote code execution, according to a security researcher.

At first glance, less appears to be a harmless command that outputs a file's content to a terminal window and allows the users to navigate forward and backward through it. Less does not allow file editing, which is a job for file editors like the widely used vi, but has the benefit of displaying data on the fly without needing to load an entire file into memory. This is useful when dealing with large files.

Less is frequently used to view text files, but on many Linux distributions, including Ubuntu and CentOS, it supports many more file types including archives, images and PDF. That's because, on these systems, less is extended through a script called lesspipe that relies on different third-party tools to process files with various extensions.

When Zalewski ran a fuzzing program -- a vulnerability testing tool that feeds malformed input to applications -- against the cpio file archiving utility, one of the programs supported by lesspipe, it quickly identified a memory bug that can lead to arbitrary code execution.

"While it's a single bug in cpio, I have no doubt that many of the other lesspipe programs are equally problematic or worse," the researcher said.

"I agree to both of you and to me it is an important issue," one user named Bernhard Hermann replied to Zalewski and another researcher's posts. "I don't want to be infected with malware while checking whether a file is malware or my distro [Linux distribution] doing something in the background that I'm not even aware of."